On Children’s Day, it’s worth reflecting on a serious issue: how we handle the personal data of kids online. In the United States, the COPPA (Children’s Online Privacy Protection Act) requires websites and apps to obtain verifiable parental consent before collecting data from children under 13, and also limits how that data can be stored and used. But the rules aren’t always followed, for example, Disney was fined $10 million for allowing the collection of children’s data in videos incorrectly labeled on YouTube, violating COPPA.

And there’s more: Microsoft faced action from the FTC for failing to obtain parental consent before collecting personal data from children during Xbox sign-up. Amazon was fined $25 million for keeping children’s recordings and data through Alexa even after parents requested deletion.

In Europe, under the GDPR, there are also clear rules for processing personal and sensitive data, including children’s data, but enforcement still shows gaps, even though some companies have already been fined for mishandling kids’ profiles. In Brazil, the LGPD provides special protection for children and teenagers, requiring explicit consent, transparency, and a focus on safeguarding their privacy. The new Digital Child and Adolescent Statute (ECA Digital) will also fall under the National Data Protection Authority (ANPD). With the ANPD now upgraded to a regulatory agency, there’s hope this area will finally see real progress.

Sounds easy to comply? It’s not, but here are some practical (and sometimes hard-to-implement) tips, depending on your system’s architecture.

For age assurance, treat it as a security requirement with its own dedicated architecture. Build an Age & Consent Service as an isolated microservice, with APIs designed around privacy by design principles (data minimization, short retention, purpose limitation).

Support multiple verification methods depending on risk and context, such as:

• Guided self-declaration + progressive friction (for low-risk cases)

• Document verification using OCR + liveness (active or passive selfie) and face matching

• Age estimation by computer vision, only where allowed, always processed server-side with frames deleted right after the decision

• “Age > X” token via OpenID Connect for Identity Assurance (IdP attests age attributes through verifiable claims without revealing birth date)

• Verifiable Credentials (W3C VC) with selective disclosure or zero-knowledge proof for age range verification

All decisions should be logged immutably (e.g., hash-chain) and signed (like JWS), with keys stored in KMS and perimeter-level rate limiting and abuse protection.

For UX, use progressive profiling , increase verification level only when risk increases (e.g., purchases, open chats, or user-generated content).

For verifiable parental consent, implement a two-step parental binding:

1. Parent linkage: strong authentication (WebAuthn/passkey or OIDC) and one of the COPPA-accepted methods , microtransaction on a credit card, government ID + liveness, digital signature, call/video with an agent, or knowledge-based questions (where allowed).

2. Granular authorization by scope: issue a Consent JWT per child/app (scopes like profile.read, voice.store, ads.off, etc.), with expiration, revocation, and webhooks for consent changes.

Model consent as a versioned REST resource with event sourcing for audit trail, and use feature flags to toggle “strict/lenient” modes by jurisdiction. Store only proof tokens (e.g., parent_verified=true, age>13) and delete sensitive artifacts after the legal retention period. Encrypt PII at rest (AES-GCM) and in transit (mTLS). Run periodic risk assessments based on device, IP, and usage patterns.

Finally, include red team tests, remote kill switch, shadow mode before full enforcement, and automatic compliance reports (DPIA) generated from system events.

In short: it’s not easy ! and yes, it may reduce lead capture. But by building safer systems, you earn something far more valuable today: trust. And in an environment of higher trust, business growth follows naturally.

Let’s make sure children’s privacy laws stop being empty promises and start becoming real, enforceable rights. If countries can align technology, regulatory independence, and political will, we can finally protect those who still don’t have a voice.